Metadata-Version: 2.4
Name: upsec-webhook
Version: 1.0.0
Summary: UpSec Webhook signature verification SDK for Python
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: MIT License
Classifier: Topic :: Security
Requires-Python: >=3.8
Description-Content-Type: text/markdown
Dynamic: classifier
Dynamic: description
Dynamic: description-content-type
Dynamic: requires-python
Dynamic: summary

# upsec-webhook

Official Python SDK for verifying UpSec webhook signatures.

## Installation

```bash
pip install upsec-webhook
```

## Quick Start

```python
from upsec import verify_signature

is_valid = verify_signature(
    payload=request.get_data(),
    secret=os.environ["WEBHOOK_SECRET"],
    signature=request.headers.get("X-Hub-Signature-256", ""),
)
```

## Flask Decorator

```python
from upsec.middleware import flask_webhook

@app.route("/webhook", methods=["POST"])
@flask_webhook(secret=os.environ["WEBHOOK_SECRET"])
def handle_webhook():
    # Signature verified automatically
    return {"ok": True}
```

## API

### `verify_signature(payload, secret, signature, algorithm="sha256")`

Returns `True` if the HMAC signature is valid. Uses constant-time comparison.

### `sign_payload(payload, secret, algorithm="sha256")`

Returns a signed header string like `sha256=<hex>`. Useful for testing.

### `flask_webhook(secret, header, algorithm)`

Flask decorator that auto-rejects invalid signatures with 401.
